Secure & best practice of file & folder sharing between laptops & PCs

Posted on 2016-07-18
Last Modified: 2016-07-26
I'm drafting something for IT guys if they want to share their files/info within the team
& we don't have SharePoint currently.

For sure, passwords & sensitive info like payslips must not be shared this way.

Besides sharing out explicitly using NTFS permissioning (I think this is equivalent of
using icacls), what other measures should we undertake?

a) is a network share  (ie Windows  'net share sharename=c:\myfolder' ) encrypted?
b) how can we prevent domain admins from accessing the information/file/folder?
c) should we set up firewall rules to permit only ppl within same team (say
    netadmins) to access the share?  But we have an issue in that some of the
    PCs are on DHCP (ie non static IP)
d) any other measures?
Question by:sunhux
  • 3
  • 2
  • 2
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41718169
Disk level Encryption will not work as the share will be un-encrypted over the share.
use groups for share permissions and get granular with ntfs permissions
domain admins are by definition local admins so even a deny for domainadmins group can be overridden easily.
c cannot be done easily.

you could use winzip / winrar /7zip to encrypt the files and only the users that should have permissions have the password

Author Comment

ID: 41719019
is it a good practice to use Windows Firewall to permit PCs of specific IP range to access
as in our case, our IT dept uses a specific range of DHCP IP while users of each dept
uses different range.

What's the Tcp & Udp ports used by Windows "net share " & can we customize these
ports to use some other ports (just like some Ssh server, Ftp server can be made to
listen on different ports).

So when data is copied over from a Windows Network share, it's not encrypted?
LVL 63

Accepted Solution

btan earned 250 total points
ID: 41719181
Even the NTFS permission is a huge chunk to ensure not only access right but be role based (security group like Department or Job) specific to determine who can (identity assigned) and to what resource (file & folder) with what permission given (right mgmt. if poss otherwise ACL using least privileged to do the job)- you can catch it here

one problem faced with file shares which is not about ACL or having right mgmt. enforced in document but it is the manageability of "Folder Spread" - multiple folder and file created at root folder overloads not only the system resource of indexing but also hard to track security activities
and in fact make it easier for Ransomware to spread to all folder and files from the root by enumerating for each file server instance. We need to limit exposure assuming the event infection or malware start to propagate and jump from server to server to spread infection. So practice is for
- root folder (administrator, read only root-level folder)
-- "horizontal" folder mgmt  with logical restricted no of child folder (limit to max 10 folders and each is based on unique department purpose)
-- "vertical" folder/file mgmt. to limit to the file path not to be more than the 255 char naming length (do not advocate too deep of folder as data can be lost easily when it is missed out for backup of targeted backup of certain data type, it reduce the file I/O access too)

- Have an overall access matrix to chart the security assignment to the file shares (as the resource)
- Be able to mapped to the central security group and user assigned as well as the file share in the authorized system.
- Have audit trails for access enabled
- Separate critical or time sensitive folder out into other server or mapped into other drive.
- Differentiate between classified and non-classified information and further restrict access to public access (enterprise level) and private (dept, team, user level)
- Set permission once the folder access level is determine to separate read-only and working (writable)within the mapped shares
- Avoid over segregation of folder such as "folder spread" and minimize the depth of folder with limited path name (use easily interpreted naming to determine its purpose)

I heard of the use of decoy folder purpose to make the Ransomware work hard such that it keep enumerating into the sub-folder - in a sense lost in the maze - such that alert of such anomalous access can be trigger centrally for quick response...
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.


Author Comment

ID: 41719634
> - Have audit trails for access enabled
Could point me to a link which give instructions on enabling audit trail/logging if a shared
folder or file(s) are being accessed (copied, read, edited & deleted)?

> classified and non-classified information
So admin passwords (of servers, domain admin, firewalls etc) should not be shared, while network diagrams,
IP address list is classified while documents meant for corporate-wide viewing (say Security Policy) is non-

> use of decoy folder purpose to make the Ransomware work hard
We have quite a number of ransomware attacks, so will be nice to elaborate this
LVL 63

Assisted Solution

btan earned 250 total points
ID: 41720086
A PDF guide that provides step-wise instructions to enable auditing on file server and track every changes into real time -

Classification is based on context and owner discretion to the level of protection. There should be level of classification amd guidance on classifying information and not a wild guess. Thise ip address and network diagram are unique to your enterpriae and should be treated with strict confidence esp when it is wide enterprise used. Everyone in enterprise access does not means it is non classified. They are different matter in fact it is even more pertinent to emphasis to treat these corporate info as privileged info.

A good read on tje anti Ransomware strategy include decoy files and recursive folder
Another way of impeding ransomware was proposed on the Free Forensics blog. This method involves setting up infinitely-recursive directories by taking advantage of certain features of the Windows file system. Ransomware that attempts to traverse the file system to locate the files it needs to encrypt will get stuck in such a sinkhole, giving the victim the opportunity to react to the infection.
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41726171
So when data is copied over from a Windows Network share, it's not encrypted? It can be if using SMB 3.0. The default is not encrypted since it has considerable overhead

The ports are fixed (port 445) and defined by IANA
LVL 63

Expert Comment

ID: 41726185
To add on classification for enterprise wide info, they can be only for internal reading and not public access so rightfully, it should be classified as Restricted minimally. Security policy is classified as Restricted in that sense. If there is need to share classified info, the advice is to declassified and sanitised before sharing with external parties esp the contractor. Otherwise, strict handlibg must be authorised and oversee by the enterprise staff.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question